Security Experts:

Lessons Learned From High-Profile Exploits

In 2020, malicious actors took full advantage of the expanded threat landscape created by the increase in remote work. We saw the reappearance of older malware targeting older, unpatched devices in home networks, a seven-fold increase in ransomware attacks, and one of the most significant supply chain hacks in recent years. And so far, 2021 is following that theme with the recent attempts by cyber adversaries using a variety of attacks to exploit several Microsoft Exchange Server vulnerabilities and a continued assault with ransomware. 

Given the rapid expansion of the potential attack surface, the interconnection of devices and data across a larger digital environment, and the inconsistent and fragmented approach to security taken by many organizations, cybersecurity risk has never been greater. As the saying goes, there’s no rest for the weary—and the recent spate of ransomware and other attacks looking to exploit newly revealed critical system vulnerabilities are just the latest in an escalating campaign by increasingly motivated and sophisticated criminals. And that means cybersecurity professionals have to stay vigilant and prepared.

Understanding the tactics of cybercriminals

But while HAFNIUM may have been among the first to target the Microsoft Exchange vulnerabilities as an example, they will certainly not be the last until patched. Campaigns like these demonstrate a classic strategy of cybercriminals. Once a high-profile vulnerability has been revealed, cybercriminals immediately attempt to make the most of it. They rely on two things. First, they are hoping to exploit the gap between the disclosure of vulnerabilities and when organizations begin to apply patches and updates. In most cases, exploits targeting newly released vulnerabilities show up within a few hours of a vulnerability being made public. While zero-day exploits are the most valued because they can target a vulnerability discovered by a cybercriminal and for which no patch currently exists, they are rare and expensive. The next best thing for them is to target newly announced vulnerabilities, also known as “N-Days”. 

 

Don't Miss: The Inside Story of the Microsoft Exchange Hack - Presented at SecurityWeek's Threat Intelligence Summit on May 25 - Register ]

And that leads to the second attack strategy. While the majority of potential victims will deploy patches and updates within the first several days of their being released, there are invariably large numbers of organizations that can take weeks or months—if ever—to update their systems. And that means that we can expect to see cybercriminals launch new campaigns targeting these vulnerabilities for years to come.  In fact, the average “shelf life” for a vulnerability – in terms of how long they’ll still be widely commoditized – is two to three years.

Next steps and best practices 

Although every network environment is unique, there are steps any organization can begin to implement now to reduce their risk from ransomware and other advanced threats:

• Ensure that access controls like multifactor authentication, zero-trust access, and even Network Access Control (NAC) solutions are in place 

• Tie access controls to dynamic segmentation and then use those network partitions to create security zones that can stop the spread of infection

• Use change control processes to implement a plan for ensuring you can rapidly respond to emergency patches

• Ensure that all endpoint devices have advanced security installed, including anti-exploit and endpoint detection and response (EDR) solutions 

• Update email and web security gateways to identify and effectively filter out malicious email attachments, website links, and files.

• Make sure network IPS signatures are updated, as well as device antivirus and anti-malware tools. This is especially critical when you need to protect devices that cannot be updated or patched

• Back up your systems and then store the backups off network – along with any devices and software needed in the event of a network recovery 

• Ensure that CDR (content disarm and recovery) solutions are in place to deactivate malicious attachments

• Use forensic analysis tools to identify where an infection came from, how long it has been in an environment, which devices were along the attack path, etc.

• Conduct cybersecurity awareness training to account for one of the biggest unknowns: the people who use your devices and applications

• Deploy a sandbox to securely discover, execute and analyze new or unrecognized files, documents, or programs

• Block unauthorized SaaS applications with a CASB solution

All of these and similar steps should geared toward a single goal: leveraging people, technology, and processes to quickly gather and correlate threat intelligence about active attacks on a network and to automatically respond using a coordinated strategy that leverages all relevant security and technologies regardless of where they are deployed.  

Lessons learned and moving into the future 

As mentioned, we are only seeing the tip of the iceberg when it comes to exploit attempts targeting these latest high-profile vulnerabilities. Additional targeted attacks, especially more ransomware, are destined to come, and they will dearly cost those businesses that fail to respond quickly. Many of today’s malware and ransomware attacks are a completely different game because they are being specifically crafted and targeted at certain internal systems. The target assets are no longer just about data, but also about services that can be disrupted and held for ransom. This approach is providing to have a higher return-on-investment for cyber criminals.

Because attackers like to follow the path of least resistance, they are constantly keeping an eye out for the weakest link in security. That could be people, technology, supply chains or bad cyber hygiene. Which means that organizations need to either be continually upping their game, or they need to implement a security-driven security strategy designed to adapt to a constantly evolving threat landscape.

Prepared for attacks

Ransomware isn’t going anywhere—and it’s not only going to get more sophisticated, but we’re also going to continue to see an increase in the volume of attacks due to the growth of Ransomware-as-a-Service. And as the targets of ransom become higher-profile, risk is not just increasing for organizations, but the costs will continue to climb. This is creating a feedback loop in which ransomware efforts become increasingly lucrative for cybercriminals. The efforts to exploit the latest Microsoft Exchange Server vulnerabilities are just the latest examples receiving global attention, but they are merely a harbinger of things to come. They are a clarion call to cybercriminals to join in as well as to organizations to adopt and implement security better practices related to managing vulnerabilities. 

Bad actors act quickly, so IT security teams must patch quickly, effectively, and comprehensively, because the bad guys only need one vulnerability to bring down the whole network. The recommended actions listed above are a good checklist to compare current security practices to, but they are just a starting place. They are designed to complement a comprehensive security architecture built around an integrated security platform that can be broadly deployed, actionable threat intelligence, automation designed to leverage AI, and unified management for centralized visibility, orchestration, and control. As ransomware becomes more targeted—and therefore more dangerous—organizations that implement these strategies will be well-positioned to defeat whatever exploits come next.

view counter
Derek Manky is Chief of Security Insights and Global Threat Alliances at Fortinet’s FortiGuard Labs. Derek formulates security strategy with more than 15 years of cyber security experience behind him. His ultimate goal to make a positive impact in the global war on cybercrime. Manky provides thought leadership to industry, and has presented research and strategy worldwide at premier security conferences. As a cybersecurity expert, his work includes meetings with leading political figures and key policy stakeholders, including law enforcement. He is actively involved with several global threat intelligence initiatives including NATO NICP, INTERPOL Expert Working Group, the Cyber Threat Alliance (CTA) working committee and FIRST – all in effort to shape the future of actionable threat intelligence and proactive security strategy.